Zero-Day Attack Compromises a Half-Million Web Forum Accounts—Report

Forum software-maker vBulletin and Foxit Software, whose community forum also runs vBulletin, may have been breached by a hacker claiming to have made off with personal data belonging to a combined 479,895 users across the two sites.

“Coldzer0” said in a post co-authored with @Cyber_War_News that he exploited the same zero-day vulnerability for both domains, and was able to access user IDs, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords for hundreds of thousands of users.

For its part, vBulletin has confirmed that an attack happened: “Very recently, our security team discovered a sophisticated attack on our network,” the company said in a post. “Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.”

The issue affects vBulletin versions 5.1.4 through 5.1.9, the company said. It has issued a patch, presumably closing the zero-day, and has also forced a password reset for all of its users.

Tod Beardsley, principal security research manager at Rapid7, said in an email that the vBulletin attack looks to have been due to a SQL injection bug in the company's forum software.

“vBulletin is a popular target, since compromising a forum site can provide an effective platform for a watering-hole attack,” he said. “In a watering-hole attack, customers of a particular company, or users that share a common interest, can be effectively targeted via the trusted, but now compromised, website. vBulletin itself is a popular community and forum platform, so an unpatched bug in the platform can expose those downstream users to serious risk.”

Organizations that rely on vBulletin 5.1.4 through 5.1.9 to power their community forums should apply this patch immediately. Because the attacker claims to have obtained password hashes and plaintext security questions and answers, operators of forums that were exposed while unpatched should also consider forcing a password reset for their own users and treating those security answers as compromised.